From: "Michael Kerrisk (man-pages)" <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Laurent Georget <laurent-AyimVQWTEHzsq35pWSNszA@public.gmane.org>,
Laurent Georget
<laurent.georget-vbcOdlJ0SulGWvitb5QawA@public.gmane.org>,
Nikos Mavrogiannopoulos
<nmav-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
tytso-3s7WtUTddSA@public.gmane.org, "Thomas Hühn" <t@2uo.de>,
"Stephan Mueller"
<smueller-T9tCv8IpfcWELgA04lAiVw@public.gmane.org>,
"Carl Winbäck" <c@tunnel53.net>,
mpm-VDJrAJ4Gl5ZBDgjK7y7TUQ@public.gmane.orgt
Subject: Re: New random(7) page for review
Date: Tue, 15 Nov 2016 07:19:41 +0100 [thread overview]
Message-ID: <97ac8ec9-5527-fd0f-dce1-21ef6037ad2f@gmail.com> (raw)
In-Reply-To: <54e6e40c-b840-c773-e739-7faed9664411-AyimVQWTEHzsq35pWSNszA@public.gmane.org>
Hi Laurent,
On 11/12/2016 03:03 PM, Laurent Georget wrote:
> Hello,
>
> Le 12/11/2016 à 13:25, Michael Kerrisk (man-pages) a écrit :
>> [...]
>>
>> Does anyone see any further tweaks that might be required?
>>
>
> I put my comments directly in the rendered text below.
>
>>
>>
>> RANDOM(7) Linux Programmer's Manual RANDOM(7)
>>
>> NAME
>> random - overview of interfaces for obtaining randomness
>>
>> DESCRIPTION
>> The kernel provides the following interfaces to the kernel's cryp‐
>> tographically secure pseudorandom number generator (CSPRNG):
>>
>> * The /dev/urandom and /dev/random devices, both described in
>> random(4). These devices have been present on Linux since
>> early times.
>>
>> * The getrandom(2) system call, available since Linux 3.17. This
>> system call provides access either to the same source as
>> /dev/urandom (called the urandom source in this page) or to the
>> same source as /dev/random (called the random source in this
>> page). The default is the urandom source; the random source is
>> selected by specifying the GRND_RANDOM flag to the system call.
>>
>
> We could highlight here that /dev/urandom and /dev/random exist in many
> UNIX-like systems while getrandom(2) is Linux-specific. This can be
> important for developers writing cross-platform code.
Agreed. I added some words to address this.
>> Initialization of the entropy pool
>> The kernel collects bits of entropy from the environment. When a
>> sufficient number of random bits has been collected, the urandom
>> entropy pool is considered to be initialized.
>>
>
> the *random* entropy pool? Or maybe just the entropy pool?
Yes. Changed to just "entropy pool"
>> Choice of random device
>> Unless you are doing long-term key generation (and most likely not
>> even then), you probably shouldn't be using getrandom(2) with the
>> GRND_RANDOM flag or the /dev/random device.
>>
>> Instead, use either getrandom(2) without the GRND_RANDOM flag or
>> the /dev/urandom device. The cryptographic algorithms used for
>> the urandom source are quite conservative, and so should be suffi‐
>> cient for all purposes.
>>
>> The disadvantage of GRND_RANDOM and reads from /dev/random is that
>> the operation can block. Furthermore, dealing with the partially
>> fulfilled requests that can occur when using GRND_RANDOM or when
>> reading from /dev/random increases code complexity.
>>
>
> This is not a precision that was present in the previous version of the
> pages but we should write here "The disadvantage of GRND_RANDOM and reads
> from /dev/random is that the operation can block *for an indefinite
> amount of time*".
Yes. Added.
> I don't think we can reach the extreme case where no bits of entropy are
> ever collected, but we can imagine a situation with two processes, one
> having hig priority and the other low priority, both reading from
> /dev/random. If the high priority process consumes entropy quicklier
> than it's collected, the low priority process won't wake up ever.
> This is how you get robots stuck on Mars!
>
>> Usage recommendations
>> The kernel random-number generator relies on entropy gathered from
>> device drivers and other sources of environmental noise. It is
>> designed to produce a small amount of high-quality seed material
>> to seed a cryptographically secure pseudorandom number generator
>> (CSPRNG). It is designed for security, not speed, and is poorly
>> suited to generating large amounts of cryptographic random data.
>> Users should be economical in the amount of seed material that
>> they consume via getrandom(2), /dev/urandom, and /dev/random.
>> Consuming unnecessarily large quantities of data via these inter‐
>> faces will have a negative impact on other consumers of random‐
>> ness.
>>
>> These interfaces should not be used to provide large quantities of
>> data for Monte Carlo simulations or other programs/algorithms
>> which are doing probabilistic sampling. Indeed, such usage is
>> unnecessary (and will be slow). Instead, use these interfaces to
>> provide a small amount of data used to seed a user-space pseudo‐
>> random number generator for use by such applications.
>>
>> Comparison between getrandom, /dev/urandom, and /dev/random
>> The following table summarizes the behavior of the various inter‐
>> faces that can be used to obtain randomness. GRND_NONBLOCK is a
>> flag that can be used to control the blocking behavior of getran‐
>> dom(2).
>>
>> ┌──────────────┬──────────────┬──────────────────┬────────────────────┐
>> │Interface │ Pool │ Blocking │ Behavior in early │
>> │ │ │ behavior │ boot time │
>> ├──────────────┼──────────────┼──────────────────┼────────────────────┤
>> │/dev/random │ Blocking │ If entropy too │ Blocks until │
>> │ │ pool │ low, block until │ enough entropy │
>> │ │ │ there is enough │ gathered │
>> │ │ │ entropy again │ │
>> ├──────────────┼──────────────┼──────────────────┼────────────────────┤
>
> "If entropy too low, *blocks* until there is enough entropy again"
Fixed.
>> ├──────────────┼──────────────┼──────────────────┼────────────────────┤
>> │/dev/urandom │ CSPRNG out‐ │ Never blocks │ Returns output │
>> │ │ put │ │ from uninitialized │
>> │ │ │ │ CSPRNG (may be low │
>> │ │ │ │ entropy and │
>> │ │ │ │ unsuitable for │
>> │ │ │ │ cryptography) │
>> ├──────────────┼──────────────┼──────────────────┼────────────────────┤
>> │getrandom() │ Same as │ Does not block │ Blocks until pool │
>> │ │ /dev/urandom │ once pool ready │ ready │
>> ├──────────────┼──────────────┼──────────────────┼────────────────────┤
>> │getrandom() │ Same as │ If entropy too │ Blocks until pool │
>> │GRND_RANDOM │ /dev/random │ low, block until │ ready │
>> │ │ │ there is enough │ │
>> │ │ │ entropy again │ │
>> ├──────────────┼──────────────┼──────────────────┼────────────────────┤
>> │getrandom() │ Same as │ Does not block │ EAGAIN if pool not │
>> │GRND_NONBLOCK │ /dev/urandom │ │ ready │
>> ├──────────────┼──────────────┼──────────────────┼────────────────────┤
>> │getrandom() │ Same as │ EAGAIN if not │ EAGAIN if pool not │
>> │GRND_RANDOM + │ /dev/random │ enough entropy │ ready │
>> │GRND_NONBLOCK │ │ available │ │
>> └──────────────┴──────────────┴──────────────────┴────────────────────┘
>> Generating cryptographic keys
>> The amount of seed material required to generate a cryptographic
>> key equals the effective key size of the key. For example, a
>> 3072-bit RSA or Diffie-Hellman private key has an effective key
>> size of 128 bits (it requires about 2^128 operations to break) so
>> a key generator needs only 128 bits (16 bytes) of seed material
>> from /dev/random.
>>
>> While some safety margin above that minimum is reasonable, as a
>> guard against flaws in the CSPRNG algorithm, no cryptographic
>> primitive available today can hope to promise more than 256 bits
>> of security, so if any program reads more than 256 bits (32 bytes)
>> from the kernel random pool per invocation, or per reasonable
>> reseed interval (not less than one minute), that should be taken
>> as a sign that its cryptography is not skillfully implemented.
>>
>> SEE ALSO
>> getrandom(2), random(4), urandom(4), signal(7)
>>
>>
>
> Cheers,
> Laurent
>
>
>
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2016-11-15 6:19 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-25 8:48 [PATCH] Update the random(4) documentation towards a more accurate view on /dev/urandom Nikos Mavrogiannopoulos
[not found] ` <1461574090.32558.45.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-04-25 15:46 ` George Spelvin
[not found] ` <20160425154605.7445.qmail-HzZAx2gCgqrSUeElwK9/Pw@public.gmane.org>
2016-04-26 14:46 ` Nikos Mavrogiannopoulos
[not found] ` <1461681983.15804.76.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-04-26 16:58 ` George Spelvin
[not found] ` <20160426165847.5804.qmail-HzZAx2gCgqrSUeElwK9/Pw@public.gmane.org>
2016-11-09 15:26 ` Michael Kerrisk (man-pages)
[not found] ` <8a990d27-1fc2-8358-f9d3-c9474d6d8616-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-11-10 8:21 ` Nikos Mavrogiannopoulos
[not found] ` <1478766102.2642.12.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-11-10 11:29 ` Michael Kerrisk (man-pages)
2016-08-01 11:48 ` Nikos Mavrogiannopoulos
[not found] ` <1470052099.2926.6.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-10-20 8:37 ` Nikos Mavrogiannopoulos
[not found] ` <1476952646.2522.10.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-10-21 7:21 ` Michael Kerrisk (man-pages)
[not found] ` <8a5e82db-6f8a-2426-4a68-feab205bca57-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-10-21 14:07 ` Stephan Mueller
[not found] ` <2402524.TIv9Kdt40z-gNvIQDDl/k7Ia13z/PHSgg@public.gmane.org>
2016-10-21 14:38 ` Nikos Mavrogiannopoulos
[not found] ` <1477060710.3888.14.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-10-21 14:55 ` Stephan Mueller
2016-10-21 16:33 ` Theodore Ts'o
[not found] ` <20161021163314.cvhjgr4s7lfzdsve-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-10-21 16:50 ` Stephan Mueller
[not found] ` <4610047.a51zB7LfZj-gNvIQDDl/k7Ia13z/PHSgg@public.gmane.org>
2016-10-21 17:56 ` Theodore Ts'o
[not found] ` <20161021175633.5x5mp2xv3wq4ejjf-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-10-21 18:00 ` Stephan Mueller
2016-11-01 9:35 ` Nikos Mavrogiannopoulos
[not found] ` <1477992912.3769.22.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-11-09 14:58 ` Michael Kerrisk (man-pages)
2016-11-09 15:23 ` Michael Kerrisk (man-pages)
[not found] ` <b07fb334-149d-cf65-74f3-1d1951e5981b-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-11-10 8:54 ` Nikos Mavrogiannopoulos
[not found] ` <1478768067.2642.23.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-11-10 9:11 ` Laurent Georget
[not found] ` <3b7ba39b-0434-47ca-7857-257f3c99266b-AyimVQWTEHzsq35pWSNszA@public.gmane.org>
2016-11-10 11:56 ` Michael Kerrisk (man-pages)
2016-11-10 11:50 ` Michael Kerrisk (man-pages)
[not found] ` <e5c1f87c-aad0-b526-a346-74348a36c2a3-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-11-10 11:53 ` Nikos Mavrogiannopoulos
[not found] ` <1478778837.2642.26.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-11-10 11:56 ` Michael Kerrisk (man-pages)
[not found] ` <05152136-6943-8ada-3d65-51ef4ce9c1b1-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-11-10 14:19 ` Michael Kerrisk (man-pages)
2016-11-10 14:20 ` [PATCH] random.4: Improve discussion or urandom, blocking reads, and signals Michael Kerrisk (man-pages)
[not found] ` <4a8c573c-0c19-29d0-248e-74c088968806-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-11-11 10:28 ` Laurent Georget
[not found] ` <d5eca965-c8b9-51e5-6acb-172e47f85ba0-vbcOdlJ0SulGWvitb5QawA@public.gmane.org>
2016-11-11 11:51 ` Michael Kerrisk (man-pages)
2016-11-12 12:25 ` New random(7) page for review Michael Kerrisk (man-pages)
[not found] ` <cb25213c-a70d-cbf1-6a42-959dcdc1f202-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-11-12 14:03 ` Laurent Georget
[not found] ` <54e6e40c-b840-c773-e739-7faed9664411-AyimVQWTEHzsq35pWSNszA@public.gmane.org>
2016-11-15 6:19 ` Michael Kerrisk (man-pages) [this message]
2016-11-13 22:20 ` Theodore Ts'o
[not found] ` <20161113222041.ypnz3sdm3fmjprnn-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-11-15 6:41 ` Michael Kerrisk (man-pages)
2016-11-14 8:06 ` Nikos Mavrogiannopoulos
[not found] ` <1479110801.2624.2.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-11-15 6:10 ` Michael Kerrisk (man-pages)
2016-11-11 16:05 ` [PATCH] random.4: Improve discussion or urandom, blocking reads, and signals Theodore Ts'o
[not found] ` <20161111160514.yrlfteowdz4qar76-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-11-12 10:54 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=97ac8ec9-5527-fd0f-dce1-21ef6037ad2f@gmail.com \
--to=mtk.manpages-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=c@tunnel53.net \
--cc=laurent-AyimVQWTEHzsq35pWSNszA@public.gmane.org \
--cc=laurent.georget-vbcOdlJ0SulGWvitb5QawA@public.gmane.org \
--cc=linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mpm-VDJrAJ4Gl5ZBDgjK7y7TUQ@public.gmane.orgt \
--cc=nmav-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=smueller-T9tCv8IpfcWELgA04lAiVw@public.gmane.org \
--cc=t@2uo.de \
--cc=tytso-3s7WtUTddSA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).